Tag Archives: data protection act

There I was, at my desk on Monday morning, preoccupied with getting everything done before the Christmas break, and doing about 3 things at once (or trying to). An email hit my inbox with the subject “your account information has been changed”. Because I regularly update all my passwords, I’m used to these kinds of emails arriving from different companies – sometimes to remind me that I’ve logged in on this or that device, or to tell me that my password has been changed, and to check that I was the person who actually changed it.

As I hadn’t updated any passwords for a couple of days, I was rather intrigued to see who had sent the email, and I immediately opened it. It was from Apple to say I’d added an email as a rescue email to my Apple ID.

Well that sounded wrong, so I clicked on the link to ‘Verify Now’ and was taken to a page that looked pretty legitimate.

I thought I should see what was actually going on, so I logged in to my Apple ID using my previous password. If I had been in any doubt, the fact that it accepted my out-of-date password made it very clear that this was a scam.

The site asked me to continue inputting my data. At the top of the pages are my name and address details. It’s also, for the first time, telling me that my account is suspended – always a hacker’s trick to get you worried and filling in information too quickly to think about what you’re actually doing.

Then the site starts to request credit card details and bank details …

And finally my date of birth so they can steal my identity, and a mobile number so that they can send me scam texts.

I know seven other people who received exactly the same email. And it’s just too easy to fall for, so any number of people could be waking up tomorrow with their identity stolen, and bank account and credit cards stripped of all money or credit.

With that in mind, here are some things to look out for in phishy (see what I did there) emails:

Check the email address the email came from! If it looks wrong – it probably is!

Hover your mouse over the links in the email to see where they take you. If this email had really come from Apple, the link would have gone to an https:// address at apple.co.uk.

Check for grammatical errors in the text of the email.
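The three checks above, applied to a raw message, as an added example that is not part of the original post. The sample email is constructed to resemble the scam described (no real addresses), the list of genuine domains (apple.com, apple.co.uk) and the urgency and grammar phrase lists are assumptions for the example, not Apple's or anyone's published rules.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the scam described above; no real addresses.
SAMPLE_EMAIL = """\
From: Apple Support <support@appleid-verify-account.example>
To: victim@example.org
Subject: your account information has been changed
Content-Type: text/html; charset=utf-8

<p>A rescue email was added to your Apple ID. Your account is suspended.</p>
<p>Please <a href="http://appleid-verify-account.example/login">Verify Now</a>
to restore you access, or see <a href="https://apple.co.uk/support">apple.co.uk</a>.</p>
"""

# Assumed for this example: domains a genuine message would link to.
GENUINE_DOMAINS = ("apple.com", "apple.co.uk")
# Constructed phrase lists: pressure tactics and wording slips worth a second look.
URGENCY_PHRASES = ("account is suspended", "verify now", "within 24 hours")
GRAMMAR_SLIPS = ("restore you access", "more informations")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def belongs_to(host, domains):
    """True if host is one of the expected domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def check_email(raw, genuine_domains=GENUINE_DOMAINS):
    """Return (code, detail) findings for a raw message; [] means no red flags."""
    msg = message_from_string(raw)
    findings = []
    # 1. Look at the address the email really came from, not the display name.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if not belongs_to(sender_domain, genuine_domains):
        findings.append(("sender-domain", sender_domain))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")

    # 2. "Hover over the links": where does each one really go?
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        url = urlparse(href)
        if url.scheme != "https":
            findings.append(("link-not-https", href))
        if not belongs_to(url.hostname, genuine_domains):
            findings.append(("link-domain", href))
        # Visible text that names a site the link does not actually visit.
        shown = text.lower().strip("/ ")
        if "." in shown and url.hostname and not belongs_to(url.hostname, (shown,)):
            findings.append(("link-text-mismatch", f"{text} -> {href}"))

    # 3. Pressure tactics and sloppy wording in the text itself.
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    findings += [("urgency", p) for p in URGENCY_PHRASES if p in plain]
    findings += [("grammar", s) for s in GRAMMAR_SLIPS if s in plain]
    return findings
```

Running check_email(SAMPLE_EMAIL) flags the sender domain, the non-https off-domain “Verify Now” link, two urgency phrases and one wording slip, while a plain message linking only to https://support.apple.com/ returns an empty list.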

Now if you do fall for an email as well executed as this (and if I’m completely honest, I’m shocked at how close to a real Apple email and website they looked), make sure you notify your bank and credit card companies immediately. Change all of your passwords as soon as possible, because if you use the same login combination for any other accounts, those could be targeted next.

Christmas has always been a time for giving. Now it’s become the prime time for taking.

So it’s getting closer and closer to Christmas – a time for giving, with more and more charity adverts on the TV, on the radio, on social media – in fact pretty much everywhere you look. Although Christmas can be a bit tight on the purse strings thousands of people still give to their favourite charities.

Whether you’re helping children, refugees, animals or cancer or medical research, these organisations all promote that the money goes to a good cause. Unless this ‘good cause’ is to pay an ICO fine…?

Two of the major charities we all know and love are the RSPCA and the British Heart Foundation. Both have been under investigation for secretly screening their donors with the aim of targeting those with more money. This process is known as “wealth-screening”.

The two organisations hired wealth management companies who pieced together information on their donors from publicly available sources to build data on their income, property value and even friendship circles. This allowed a massive pool of donor data to be created and sold.

The RSPCA and BHF were part of a scheme called Reciprocate where they could share and swap data with other charities to find prospective donors. Donors to both charities were given an opt-out option.

Information included in the scheme was people’s names, addresses, dates of birth and the value and date of their last donation. The ICO ruled that the charities didn’t provide a clear enough explanation to allow consumers to make an educated decision about what they were signing up for, and therefore ruled that they had not given their consent.

The RSPCA has admitted that it was not aware of the actual charities with whom it was sharing its data. It also became clear that the charity shared the data of donors who had opted out.

The BHF insists it had all the correct permissions. However, the ICO disagrees, on the basis that the charities with whom it was sharing the data were not for similar causes.

The ICO has fined the RSPCA £25,000 and the British Heart Foundation £18,000. Ironically, the BHF was praised on its data handling by the ICO in June this year, and it is likely to appeal the fine.

In my opinion, the whole thing is a mess. I like to give to charity when I can, which, if I’m honest, isn’t as often as I’d like.

However when you hear of debacles like this, it really does put you off. I want my money to go to a good cause. I don’t want my data being shared without my knowledge so that other charities can investigate how much I earn, whether I own my property and what social circles I move in, and then decide whether I’m worth targeting. Surely these charities should be thankful for every single donation. The widow’s mite springs to mind.

I feel for the poor animals and souls that rely on these charities, who are, I’m sure, going to take a hit from these fines. It’s not their fault, yet no doubt they are the ones who are going to pay the price.

Something that is being spoken about more and more (unfortunately, because it is happening more often) is insider threat. It’s in the news an awful lot more than it ever used to be.

Do you remember the auditor of Morrisons who released a spreadsheet detailing just shy of 100,000 members of staff’s (very) personal details? He did end up getting jailed for 8 years, but I heard a saying recently: it’s not a digital footprint you leave, it’s more of a digital tattoo. Even two years after the incident, Morrisons is still suffering the effects.

Now obviously that was what you would call a malicious breach. It does unfortunately happen, but there are ways for you to protect your company against this. Firstly, we here at Data Compliant believe that if you have detailed joiner processes in place (i.e. thorough screening, references and criminal checks where appropriate), ongoing appraisals with staff and good leaver processes, you can minimise your risk.

Other ways insider breaches occur, and much more likely in my opinion, are negligence, carelessness and genuine accidents. Did you know that over 50% of data breaches are caused by staff error? This may be because staff do not follow company procedures correctly and open up pathways for hackers. Or it could be that your staff are tricked into handing over information that they shouldn’t.

Your staff could be your company’s weakest point when it comes to protecting its personal and confidential data. But you can take simple steps to minimise this risk by training your staff in data protection.

Online training has some big advantages for businesses: it’s a quick, efficient and relatively inexpensive way of training large numbers of employees while “taking them out of the business” for the least possible time.

The risk from breaches isn’t just to your business’s reputation, or even a hefty fine from the ICO, but, as mentioned before, also a criminal conviction. Now that is a lot to risk.

The new date for implementation of the proposed new data protection regulation (DPR) has been pushed back to “by 2015”, thanks in part to David Cameron’s efforts to protect the interests of UK business. Germany was also supportive, though Merkel’s reasoning was slightly different: “… to ensure that it can reconcile the existing rights of its citizens.”

23.10.13

On 21st October, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation. Still a long way from being complete, but the latest from Europe is:

1. Pseudonymous data now has its own definition – currently “personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution”.

2. Data Protection Officers: a data controller or processor must appoint a Data Protection Officer when processing personal data relating to over 5,000 data subjects in any consecutive 12-month period, and also where the core processing activities relate to location data, children’s data, sensitive personal data, or employees in large-scale filing systems.

3. A new concept has been introduced – a European Data Protection Seal – a certification process which allows international data transfers outside the EEA to recipients that also hold a Seal.

4. Right to erasure: the right of data subjects to have their personal data erased if requested is still in the draft (originally “right to be forgotten”). And it’s been strengthened – if the data subject asks a controller to erase his data, the company should also forward the request to others where the data is replicated.

Pulling NSA’s teeth …

The Compromise text had some other changes, including new data protection rules designed to curb America’s spying activities. The intention is to make US secret court orders powerless, and to force companies based outside the EU, like Google and Facebook, to comply with European data protection laws if they operate in Europe. Powers to levy fines running into billions of Euros are being made available to discourage violation of the new rules.

For example, if a third country’s court, tribunal or other administrative authority requests a company (such as a social network or cloud provider) to disclose personal data processed in the EU, that company must notify the data protection authority and obtain their authorisation before any such data transfer can be made.

This step is largely due to Edward Snowden’s information about the American companies, platforms and social networking sites which have been forced to share substantial volumes of EU citizens’ personal online data (from emails and phone calls to video chats and web searches) with the National Security Agency (the US intelligence organisation which collects, monitors, decodes, translates and analyses foreign intelligence and counterintelligence information and data).

The third country issue has been ongoing since January 2012, when the proposed reform to the law was dropped after intense US lobbying. It now seems clear that the EU has had enough, particularly since the revelations that the NSA systems collected – in the single month from February 8th to March 8th – 24.8 billion telephone data and 97.1 billion computer data from across the globe – including UK, Germany and France.

In addition, the French are aggrieved that, from December 2012 to January 2013, the NSA was reported to have made 70.3 million recordings of French individuals’ telephone data.

While the NSA is known to collect and store all phone records of all American citizens, their profligate global approach to privacy is clearly unacceptable, and Europe has taken steps to limit their – and other agencies and countries’ – powers.

So now it’s just the simple matter of balancing the need to combat terrorism against people’s right to privacy. Which makes it hardly surprising that this legislation is taking so long, with a record-breaking 4,000 amendments so far. It is thought that there is a less than 50% chance of the new regulations going through in the time-frame, though final legislation is still anticipated before the European elections in May 2014.

India’s Draft Privacy Protection Bill

The issue of data protection in India has arisen for a number of reasons – not least Europe’s concerns, given the sheer volume of personal data that is transferred to India. Also, within India itself, there is concern among Indian citizens about the combination of the use of personal identifiers (including biometric data) and extensive individual profiles.

India has been holding a set of roundtable talks since April 2013, with the goal of generating recommendations for a privacy regulatory framework. The last of those talks was held on October 19th between the Center for Internet and Society, the Federation of Indian Chambers of Commerce and Industry, and the Data Security Council of India. Christopher Graham, the UK Information Commissioner, was among the speakers.

We’ll send more updates as they come through – in the meantime, if you have any concerns over how these or the existing DPA and PECR regulations might affect your business, don’t hesitate to contact us.

Earlier this week, Canada, the United States and the United Kingdom issued a joint statement making it clear that they intend to combine their resources to tackle the problem of caller ID spoofing.

Spoofing is a practice conducted by telemarketers who want to conceal their true identity rather than fulfil their legal obligation to identify themselves. Spoofers provide their caller ID with false information which may be a string of digits, or a random or stolen number belonging to a real person or organisation. It is on the increase, and makes it particularly difficult for the authorities to track down those responsible for non-compliant or illegal calls.

The various agencies responsible for enforcing telemarketing and privacy laws announced that they will coordinate their efforts through the international law enforcement network of the London Action Plan and the International Do Not Call Network. If they need the telecoms industry to provide help, they will ask those organisations within their respective countries.

Next steps are exploratory discussions, to be held later this month, to identify options focusing on enforcement, industry compliance and consumer education, technology and regulatory issues with the goal of considering solutions available to stop spoofing and to take action against those responsible.

DATA BREACHES AND FINES

What a monumental blunder …

We heard yesterday that The Ministry of Justice was on the receiving end of the ICO’s judgement, when it received a fine of £140,000 – after details of ALL the prisoners serving time at HMP Cardiff were emailed to three of the inmates’ families.

The fine goes back to 2011 – when, on 2nd August, the recipients received an email from a prison clerk which included a file containing details of the 1,182 inmates – including names, ethnicity, addresses, length of sentence, release dates, and the offence codes. Worse yet – this wasn’t the first time such a breach had occurred. Within the previous four weeks, the same error occurred twice – with details sent to different inmates’ families.

The ICO’s investigation found:

A clear lack of management and supervision at the prison, where the clerk concerned was found to have received limited training and experience, yet was left to work unsupervised.

Audit trails were lacking and the only reason the breach was identified was because one of the recipients reported receipt of the information to the prison.

Problems with the methods used to handle the prisoners’ records, such as the use of unencrypted floppy discs to transfer large volumes of data between networks.

The importance of being registered …

If organisations process personal data, with a very few exceptions, they must register with the ICO and spell out the type of information they process. Not doing so is a criminal offence – as Hamed Shabani, sole director of payday loan company First Financial, discovered.

After failing to register, he and his company were prosecuted by the ICO and convicted in the Magistrate’s Court. As Director of the company, he was fined a modest £150 and ordered to pay £1,010.66 towards the costs of prosecution and a £20 victims’ surcharge. In addition, the company itself was fined £500, and also made to pay £1,010.66 towards costs plus a £50 victims’ surcharge.

The total bill of £2,741.32 compares rather unfavourably against the annual £35 notification fee he should have paid. It is also interesting to note that Hamed Shabani tried to remove his name from the company’s registration at Companies House in an attempt to avoid prosecution.

To quote Stephen Eckersley, ICO Head of Enforcement:

“Pay day loans companies hold important information about some of the most financially vulnerable people in the UK. This makes this company and its director’s decision not to face up to their legal responsibilities all the more concerning.

“Businesses must commit to looking after the information of their customers and this begins with making sure that they are registered. We will continue to use our enforcement powers to safeguard people’s information.”

The importance of a strong BYOD policy …

BYOD (Bring your own device) continues to be high on the ICO’s priority list – earlier this month, the Royal Veterinary College breached the DPA when a member of staff lost their camera whose memory card held 6 job applicant passport pictures. Unfortunately, the RVC had not briefed staff on how personal information stored for work should be looked after on personal devices.

Nearly half of all UK employees now use their smartphones, tablets or PCs for work purposes, and the number is growing. As a result, organisations must update their data protection policies to take this into account.

Stephen Eckersley said:

“Organisations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this. It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes so it’s crucial employers are providing guidance and training to staff which covers this use.”

The importance of encryption …

If you are unlucky enough to have a portable device containing personal data stolen, it could cost you much more than simply replacing the device, as the owner of loans company Jala Transport discovered to his cost. He stopped his car at a set of traffic lights, only to have his car boot broken into. A hard drive – containing financial details of his 250 customers – was stolen, along with £3,600 in cash.

Though the hard drive was password protected, the data within was not encrypted, and it included customers’ names, dates of birth, the payments made, and the identity documents provided to support the loan application. Because the hard drive had not been encrypted, all those customers were left wide open to the threat of identity theft.

The penalty could have been £70,000, but was reduced to £5,000 to reflect the limited financial resources of the company and the fact that the breach was reported voluntarily.

Stephen Eckersley said of this case:

“We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected…

“The penalty will have a real impact on this business and should act as a warning to all businesses owners that they must take adequate steps to keep customers’ information secure.”

Rates of identity fraud continue to rise

Identity fraud is the most significant threat facing the UK, making security a key issue not only for businesses but also for individuals. Not taking steps to protect personal data just gives fraudsters a license to steal. This is clearly illustrated by the stats – identity fraud now accounts for over half of all committed fraud and is still growing. CIFAS confirmed 114,000 frauds in the first half of 201, of which 52% involved impersonation or fake identity details. An additional 14% of frauds involved account takeover.

All the stories above reflect the importance of being and remaining data compliant and illustrate the penalties that can be imposed by the ICO. If you would like any advice on how to become and remain compliant, just call us for a no-obligation chat.

This article has been written to help companies, particularly SMEs, understand the significance and importance of strong data security and excellent staff training, specifically in relation to data protection compliance within their own businesses when dealing with personal and sensitive data.

Apart from the obvious necessity to keep your premises physically secure, and shred any confidential paperwork, there are four main areas covered by this article:

Computer Security

Encryption

Emails

Staff Training

Computer security

Protecting your computers and computer networks includes a number of steps, which can be relatively simple and straightforward to implement. As is often the way, anything is simple if you know what to do and how to do it. For example, simple security steps include:

Protection – installing firewalls and virus-checking tools.

Updates – keeping the operating system updated automatically, on an ongoing basis.

Security updates – staying aware of the latest security patches and updates, and downloading them when available.

Back-ups – an essential part of computer hygiene: regular backups should be taken and kept separately so that if your computers are lost, you still have the information available.

Disposal – when you get rid of a computer, it is vital to ensure that all personal information has been removed before you move it on. I always remove the hard drive and smash it into small pieces – which is probably overkill, but it works for me! There are other “technical” solutions, but I prefer to destroy the hard drive and know that it’s gone for ever.

Spam filters – ensure that you either have spam filters on your computers or that you use an email provider that offers this service.

Encryption

If sensitive personal information is stolen or lost, it is highly likely to cause damage or distress. To minimise the risk of disclosure, any such personal information really should be encrypted. The truth is that login usernames and passwords offer only minimal protection – absolutely not enough to protect against illegal – or simply unauthorised – access. It is also worth remembering that enormous volumes of data can now be stored on tiny devices from memory sticks to smartphones.

Encryption can be a tricky area, so if you are uncertain of how encryption works, or the strengths and weaknesses of various types of encryption, Tony Schiffman can provide useful advice on how to keep your information secure. Just drop him a line at tony@datacompliant.co.uk

Email security

Writing, sending and receiving emails is now taken for granted as just a part of everyday life. This may be why there are so many varied opportunities for error and carelessness. Some of the most common issues are summarised below:

If the contents of an email are sensitive, the email should be encrypted or password protected.

When you start to type in the name of the recipient, your software may automatically suggest similar addresses which you have used before. For example, I have a few Johns in my address book whom I email regularly. Each time, the auto-complete function offers me several Johns and I have to force myself to remember to check that I have picked the right address before clicking “send”.

Group email addresses are a useful tool, but it is always worth double-checking who is included within the group and be certain that you eliminate anybody who should not receive your message.

If you want to copy someone on an email, but don’t want to share their email address, use the bcc function rather than cc. When you use cc, all recipients will be able to see the email addresses of all other recipients to whom the email was sent.

Interesting (if irrelevant) note – we still use the term cc, which stands for carbon copy – going back to the days of typewriters when a sheet of coated carbon paper was placed between two or more sheets of paper. The pressure of the typewriter keys on the carbon paper would cause the ink to be transferred to the additional sheet(s) of paper, thus providing carbon copies. Bcc, of course, stands for blind carbon copy.

When sending a sensitive email from a secure server to a recipient whose server is insecure, the security of that email will be jeopardised. Always check the security of your recipient’s server / provider before sending your message.

Use spam filters on your computers, or use an email provider that offers spam filtering services.
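A pre-send check for an outgoing draft that covers the points above (sensitive mail must be encrypted, an auto-completed recipient with namesakes in the address book gets a second look, group aliases are expanded so you can see who is inside, and external parties from different organisations in cc are better moved to bcc). This is an added example, not code from the original article; the organisation domain, address book and group alias are constructed.

```python
from dataclasses import dataclass, field

OUR_DOMAIN = "datacompliant.example"   # assumed organisation domain, not a real one

# Constructed address book: several Johns, as in the anecdote above.
ADDRESS_BOOK = {
    "john.smith@clientone.example": "John Smith",
    "john.smith@clienttwo.example": "John Smith",
    "john.baker@clientthree.example": "John Baker",
    "anna.lee@datacompliant.example": "Anna Lee",
}

# Constructed group alias and its members.
GROUPS = {
    "newsletter@datacompliant.example": [
        "john.smith@clientone.example",
        "anna.lee@datacompliant.example",
        "former.client@clientfour.example",
    ],
}


@dataclass
class Draft:
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    sensitive: bool = False     # contents include sensitive personal data
    encrypted: bool = False     # message or attachment has been encrypted


def is_external(addr):
    return not addr.lower().endswith("@" + OUR_DOMAIN)


def first_name(addr):
    """First name from the address book entry, or from the local part if unknown."""
    name = ADDRESS_BOOK.get(addr, addr.split("@")[0].replace(".", " "))
    return name.split()[0].lower()


def lookalikes(addr):
    """Other contacts with the same first name that auto-complete could have offered."""
    mine = first_name(addr)
    return sorted(a for a in ADDRESS_BOOK if a != addr and first_name(a) == mine)


def presend_check(draft):
    """Return (code, detail) findings; an empty list means the draft passed."""
    findings = []

    # Sensitive contents must go out encrypted or password protected.
    if draft.sensitive and not draft.encrypted:
        findings.append(("unencrypted-sensitive", "encrypt or password-protect before sending"))

    for addr in draft.to + draft.cc + draft.bcc:
        # The "which John?" problem: the chosen address has namesakes.
        others = lookalikes(addr)
        if others:
            findings.append(("ambiguous-recipient", f"{addr} (also: {', '.join(others)})"))
        # Group alias: show who is actually inside it before sending.
        if addr in GROUPS:
            findings.append(("group-address", f"{addr} expands to {', '.join(GROUPS[addr])}"))

    # Cc reveals every address to every recipient; external parties from
    # different organisations sitting in cc should normally be moved to bcc.
    external_domains = {a.split("@")[1].lower() for a in draft.cc if is_external(a)}
    if len(external_domains) > 1:
        findings.append(("cc-exposes-addresses", f"move {sorted(external_domains)} recipients to bcc"))
    return findings


if __name__ == "__main__":
    draft = Draft(
        to=["john.smith@clientone.example"],
        cc=["john.baker@clientthree.example", "newsletter@datacompliant.example"],
        sensitive=True,
    )
    for code, detail in presend_check(draft):
        print(f"{code:22} {detail}")
```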

Staff Training

Training your staff to keep data secure is also vital. Staff can be held responsible for data compliance breaches and may sue their company if they have not been given essential training.

Did you know that your staff can be prosecuted if they deliberately give out personal details without permission? So it’s essential that their access to personal or sensitive data is limited purely to what they need to do their job, and they are trained to understand what they can and cannot do. For example:

Discretion – your staff may receive enquiries from people who are trying to obtain personal details dishonestly. Teach them how to handle such enquiries so that they cannot be tricked into providing inappropriate information.

Passwords – ensure your staff use strong passwords. The longer the better, and greater strength can be gained by combining letters, numbers, punctuation and other special characters, and using both upper and lower case letters.

Confidentiality – it is, of course, essential that members of staff do not share their passwords or knowledge of sensitive or personal data with colleagues or friends.

Professionalism – staff members should be trained to be professional in their communications, and avoid any offensive communications, emails, or inappropriate dissemination of the details of other people or their private lives. They must be trained to understand that their inappropriate behaviour can bring your business into disrepute.

Spam – they should not open spam, not even to unsubscribe or ‘request no further mailings’. If you do not have spam filters on your computers, your staff members should be instructed to delete spam emails as soon as they receive them.

Financial information – they should be taught not to trust emails that appear to come from a bank or building society asking for account or credit card details or password information.

If you would like to discuss staff training with Data Compliant, please contact victoria@datacompliant.co.uk

Data Breaches

Data security falls into a number of areas. Based on the ICO’s reported data breaches from April to July 2013, it is clear that security and staff training are critical elements in protecting the personal data you hold. The types of breach noted during that period are illustrated in the diagram below. It is notable just how significant security and staff training are in protecting personal and sensitive data.

In our marketing and data consultancy, Tuffill Verner Associates, we have helped businesses navigate data permissions and compliance across B2C and B2B. With over 30 years’ experience each, Victoria Tuffill and Michelle Evans are well placed to help marketers stay compliant while still achieving their marketing goals. We provide clear, tailored, practical and creative advice to marketers to solve the difficulties of achieving results while staying within the confines of legal compliance.

If you’d like to chat about your data compliance, security or governance needs, please contact Victoria or Michelle on 01787 277742 or by email – victoria@datacompliant.co.uk or michelle@datacompliant.co.uk